You can't secure what you don't acknowledge.SM

Saturday, July 4, 2009

What are you celebrating today?

For those of you in the U.S., Happy 4th of July! Proudly wearing my "Bill of Rights" shirt. I think my next purchase from one of my favorite stores, CafePress.com, is going to be this button:

Kudos to the men and women who have fought for our freedom and independence to this point - cheers to all of you out there who still believe in it.

Wednesday, July 1, 2009

The definitive secret to success in your job and career

It all comes down to this. I couldn't agree more.

"Eighty-five percent of the reason you get a job, keep that job, and move ahead in that job has to do with your people skills and people knowledge." - Cavett Robert

Tuesday, June 30, 2009

Tool to take the pain out of threat modeling

Can you tell I'm getting caught up on talking about some neat security tools worth checking out!? Well, here's another one: Amenaza's SecurITree, which I first wrote about in my book Hacking For Dummies, 2nd edition. It's a decision support tool you can use to analyze specific threats to your business and the likelihood of attack. Threat modeling is something that many people do in their head "qualitatively" (or not at all), but SecurITree helps you do more detailed "quantitative" analysis so you can drill down into the specifics.

The following are some screenshots of SecurITree with a sample decision tree loaded for analyzing home burglaries:

SecurITree's main interface showing the sample attack tree:


Drilling down to edit specific node data:


The process gets pretty technical and it's not for the faint of heart, but the good news is that its built-in Help explains just what you need to know.

SecurITree's Help window:


If you need details on which threats matter and the level of risk your business is up against, and don't know where to start, you've got to check out SecurITree. The process can take some time, and as the folks at Amenaza admit, it isn't foolproof, but it could be well worth your investment.

While we're on the subject, check out this article I wrote on threat modeling.
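To show what the "quantitative" side of attack-tree analysis looks like in practice, here is a small evaluator I've added as an illustration; it is my own constructed code, not SecurITree's model or anything from Amenaza. OR nodes take the cheapest child, AND nodes sum their children, probabilities assume independent steps, and a `harden` helper shows how adding a control changes the cheapest path a defender should worry about. Every node name, cost and probability below is made up.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "and" or "or"
    cost: float = 0.0         # leaf only: attacker cost, arbitrary constructed units
    p: float = 0.0            # leaf only: probability the step succeeds (constructed)
    children: list["Node"] = field(default_factory=list)


def cheapest_cost(n: Node) -> float:
    """Minimum attacker cost to achieve n: OR takes the cheapest child, AND sums them."""
    if n.kind == "leaf":
        return n.cost
    costs = [cheapest_cost(c) for c in n.children]
    return sum(costs) if n.kind == "and" else min(costs)


def success_prob(n: Node) -> float:
    """Probability n is achieved, treating child steps as independent events."""
    if n.kind == "leaf":
        return n.p
    ps = [success_prob(c) for c in n.children]
    return math.prod(ps) if n.kind == "and" else 1.0 - math.prod(1.0 - q for q in ps)


def cheapest_path(n: Node) -> list[str]:
    """Leaf names on the minimum-cost route to the root (first child wins ties)."""
    if n.kind == "leaf":
        return [n.name]
    if n.kind == "and":
        return [leaf for c in n.children for leaf in cheapest_path(c)]
    return cheapest_path(min(n.children, key=cheapest_cost))


def harden(n: Node, leaf: str, extra_cost: float) -> Node:
    """Copy of the tree with a control applied: raises one leaf's attacker cost."""
    if n.kind == "leaf":
        return Node(n.name, "leaf", n.cost + extra_cost if n.name == leaf else n.cost, n.p)
    return Node(n.name, n.kind, children=[harden(c, leaf, extra_cost) for c in n.children])


# Constructed sample tree in the spirit of the home-burglary example (values are made up).
BURGLARY = Node("Burgle house", "or", children=[
    Node("Force front door", cost=50, p=0.6),
    Node("Enter via window", "and", children=[
        Node("Break window", cost=10, p=0.9),
        Node("Defeat alarm", cost=500, p=0.3)]),
    Node("Obtain key", "or", children=[
        Node("Find spare key", cost=5, p=0.2),
        Node("Copy owner's key", cost=200, p=0.4)])])
```

Running `cheapest_path(BURGLARY)` before and after `harden(BURGLARY, "Find spare key", 100)` shows the cheapest route moving from the spare key to the front door, which is the kind of drill-down the tool's node data supports.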

Monday, June 29, 2009

Great way to maintain desktop security & integrity

If you're looking for a way to keep your Windows desktops locked down, safe from abuse, and clean reboot after reboot, check out Faronics Deep Freeze. It can save you a ton of time and headache...

Great source code analysis tool

Finally, I've found an affordable and effective static source code analysis tool! It's called CxDeveloper, a product of Israel-based Checkmarx that's distributed and supported by U.S.-based Security Innovation. Whew... it's a little confusing, but what can you do.

I've used CxDeveloper for over a year now and, like most products, it's not perfect. It crashes unexpectedly every now and then, it generates false positives, its licensing process is kludgy and old-fashioned, and its reporting capabilities are somewhat limited. But who cares! CxDeveloper, by and large, works!

With the future of HP's DevInspect on the line (according to some of my clients, their HP reps are telling them it's being end-of-lifed), Compuware's nice product SecurityChecker going away, and the other two "leaders" in this space (you know who they are) being so proud of their software that they price themselves out of the reach of many end users and consultants like myself, I can't think of a better time for a static source code analysis product like CxDeveloper to be rising through the ranks.

Here are a few screenshots of CxDeveloper to show you what it looks like and just how simple it is to run a software source code analysis. It's literally point to the source code, choose your scan options, and off you go. And, perhaps biggest of all, there's no need to integrate the tool within an IDE such as Visual Studio!

Various scan policies you can select from:

A scan in action:

Findings showing specific problems and the source code creating them:

"Pretty" summary report that management can appreciate:

Detailed findings report that developers and QA analysts can appreciate:

Keeping in mind the realities of source code analysis, if it's anywhere on your radar CxDeveloper is definitely worth checking out.